Major GitHub Vulnerability Allows Remote Code Execution
A serious security flaw has been uncovered in GitHub that could let attackers run arbitrary code on GitHub.com and GitHub Enterprise Server. The vulnerability was discovered by researchers at Wiz and has since been patched. It involves how GitHub handles server-side “git push” commands, which are used to upload code to repositories.
How the Bug Worked
The flaw, identified as CVE-2026-3854, stemmed from a weakness in GitHub’s internal processing of git push requests. When developers push code, GitHub processes the incoming data on the server using an internal component called X-STAT. Researchers found that malicious input could be crafted to pass through X-STAT in a way that allowed command injection.
This meant an authenticated attacker could send a specially crafted push that tricked GitHub into executing arbitrary commands on the server. Because this processing happens automatically during normal repository operations, it opened the door to remote code execution without any direct access to the server.
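The article does not describe X-STAT’s internals or the exact input that triggered the injection, so what follows is an added, generic illustration of the bug class rather than GitHub’s code: a ref-name validator following the rules of `git check-ref-format`, a check for shell metacharacters, and the hardened pattern of passing push-supplied values as their own argv element instead of splicing them into a shell command string. The vulnerable pattern is only constructed, never executed; a small Python child process stands in for git so the example runs without git installed. The function names and sample ref names are this example’s own.

```python
import re
import subprocess
import sys

# Characters git rejects in ref names: ASCII control chars, DEL, space, ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = set(" ~^:?*[\\") | {chr(c) for c in range(0x20)} | {chr(0x7F)}

# Characters a POSIX shell would interpret if the name were pasted into a command string.
_SHELL_METACHARS = re.compile(r"[;&|$`()<>!\"'\n]")


def is_valid_refname(name: str) -> bool:
    """Apply the rules of `git check-ref-format` (one-level names permitted)."""
    if not name or name == "@":
        return False
    if any(ch in _FORBIDDEN_CHARS for ch in name):
        return False
    if ".." in name or "@{" in name or "//" in name:
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def has_shell_metachars(name: str) -> bool:
    """True if the name would need escaping in a shell; git itself allows several of these."""
    return _SHELL_METACHARS.search(name) is not None


def build_shell_command(refname: str) -> str:
    """VULNERABLE pattern (constructed only, never executed here): the client-controlled
    ref name is spliced into a command string. If this string reached a shell, a name such
    as 'refs/heads/x;id' would end the git command and start a second one."""
    return f"git rev-parse {refname}"


def argv_preserves_argument(refname: str) -> str:
    """HARDENED pattern: the value travels as its own argv element with shell=False, so
    metacharacters are plain data. A real hook would run something like
    ["git", "rev-parse", "--end-of-options", refname]; a tiny Python child process stands
    in for git here so the example runs without git installed."""
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", refname],
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed ref names: one ordinary, one syntactically valid yet shell-dangerous, one invalid.
    for name in ("refs/heads/main", "refs/heads/x;id", "refs/heads/../main"):
        print(f"{name!r}: valid={is_valid_refname(name)} shell_metachars={has_shell_metachars(name)}")
    print("child saw:", repr(argv_preserves_argument("refs/heads/x;id")))
```

The point the validator makes is that a name like `refs/heads/x;id` is perfectly legal by git’s own rules, so input validation alone does not close this class of bug; the mitigation is never to let client-supplied values reach a shell as part of a command string.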
Severity and Impact
The vulnerability was rated High severity, just short of critical, with a CVSS score of 8.8 out of 10. GitHub quickly released patches for the affected versions of GitHub Enterprise Server, 3.14.25 through 3.20.0, and GitHub.com was patched promptly as well. Despite the swift response, Wiz researchers stated that at the time of disclosure about 88% of internet-exposed Enterprise Server instances remained vulnerable.
The impact of this flaw was significant. On GitHub.com, it could lead to remote code execution on shared storage nodes, risking the security of millions of repositories. For self-hosted GitHub Enterprise environments, the bug could allow full control over the affected server, including access to all stored repositories and internal secrets.
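A defender’s first question after reading the version range above is whether a given instance falls inside it. The following added check (not from the article or from GitHub) parses a GitHub Enterprise Server version string and compares it against the 3.14.25 to 3.20.0 range as the article states it, treated here as inclusive on both ends; the host names and version strings are constructed, and the specific fixed releases should be taken from GitHub’s advisory, which the article does not quote.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Range reported in the article for GitHub Enterprise Server, read as inclusive.
AFFECTED_MIN: Version = (3, 14, 25)
AFFECTED_MAX: Version = (3, 20, 0)


def parse_version(text: str) -> Optional[Version]:
    """Parse 'x.y.z' (optional leading 'v'); return None if the format is unexpected."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_in_affected_range(text: str) -> Optional[bool]:
    """True if the version lies within the reported range, False if outside,
    None if the string could not be parsed (treat None as 'investigate')."""
    version = parse_version(text)
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in a {host: version string} inventory."""
    labels = {True: "affected", False: "outside range", None: "unknown"}
    return {host: labels[is_in_affected_range(ver)] for host, ver in inventory.items()}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {
    "ghes-prod.example.internal": "3.17.3",
    "ghes-staging.example.internal": "v3.14.24",
    "ghes-lab.example.internal": "3.20.0",
    "ghes-old.example.internal": "3.21",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Tuple comparison gives correct ordering for multi-digit components (3.9.9 sorts below 3.14.25), which a plain string comparison would get wrong; anything that does not parse is reported as unknown rather than silently treated as safe.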
Discovery and Response
The flaw was uncovered using AI-assisted reverse engineering tools, marking one of the first times such technology has been used to find a critical vulnerability in closed-source software. Wiz researcher Sagi Tzadik highlighted that this represents a shift in security research, making it easier to identify complex bugs in proprietary systems.
GitHub responded quickly after the bug was reported, releasing patches within hours, and emphasized the importance of updating affected systems immediately to prevent exploitation. While the bug is technically complex, Wiz’s analysis indicated it is surprisingly easy to exploit once the malicious input has been crafted.
This vulnerability underscores the importance of security in software supply chains and shows how sophisticated tools are changing vulnerability discovery. Organizations using GitHub Enterprise Server are urged to ensure they are running the latest versions to stay protected from potential attacks.